Cracking Tutorial #71:
Anti-EyeStrain 2.71
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 08/2002
[difficulty:] beginner
[where:] http://www.optiergo.com/en/aes/
[tOOLz:] W32dasm 8.93 & Hiew


KANAL23 Tutorial

http://www.kanal23.net




Anti-EyeStrain 2.71

Download it from

http://www.optiergo.com/en/aes/ 



Written by

sLeEpY¿

Tools

  • W32dasm 8.93

  • Hiew

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Word and stuff, what another long depressing day. I'm hung-over and bored, so here is the latest target.

Anti-EyeStrain 2.71 (c) Opti-Ergo

What the hell, my eyes get burned out by this stupid monitor, so I might as well attack this prog.

Retail Value..: $30.00

Futility released this one on 7-21-02, but for some reason I didn't get their crack with the release; instead I got some crack from TEAM LUCiD. But I have time here at work, and the only reason I get these progs is to crack them. So screw the crack and let's patch this ourselves! First make the 3 backups, then disassemble one of them with W32dasm, and let's run the app and see our crappy protection.

The Essay

Ok, first we have a nag at startup; then, when we try to run the main part of the program, we get that nag again. Also we can't register the program for some reason (?!?) because of this license thing. Finally, the about box says unregistered, blah blah.

First, let's make it register whatever user we like. Look for the "Sorry, wrong registration code" error message that pops up whenever we put in our name, and it will drop you below:


:0040E652 E8F9FCFFFF call 0040E350
:0040E657 83C408 add esp, 00000008
:0040E65A 85C0 test eax, eax
:0040E65C 0F8554010000 jne 0040E7B6
<-jump to happy merry go round land!
:0040E662 8D4C2418 lea ecx, dword ptr [esp+18]

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0040E666 E87F210000 Call 004107EA

* Possible Reference to String Resource ID=00197: "Sorry, wrong registration code and/or user name. Please type"
|
:0040E66B 68C5000000 push 000000C5
<-START HERE!!!!!!!!
:0040E670 8D4C241C lea ecx, dword ptr [esp+1C]
:0040E674 C68424E00100000E mov byte ptr [esp+000001E0], 0E


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E65C(C)
|

* Possible StringData Ref from Data Obj ->"USER_0"
|
:0040E7B6 68B4754100 push 004175B4
<-land here from above

* Possible StringData Ref from Data Obj ->"LastID"
|
:0040E7BB 68E4794100 push 004179E4
:0040E7C0 8D542410 lea edx, dword ptr [esp+10]

* Possible StringData Ref from Data Obj ->"UserID"
|
:0040E7C4 68AC754100 push 004175AC
:0040E7C9 52 push edx
:0040E7CA B9607C4100 mov ecx, 00417C60

* Reference To: MFC42.Ordinal:0DC2, Ord:0DC2h
|
:0040E7CF E810200000 Call 004107E4
:0040E7D4 8D442408 lea eax, dword ptr [esp+08]
:0040E7D8 B9307D4100 mov ecx, 00417D30
:0040E7DD 50 push eax
:0040E7DE C68424E001000002 mov byte ptr [esp+000001E0], 02

* Reference To: MFC42.Ordinal:035A, Ord:035Ah
|
:0040E7E6 E8F31F0000 Call 004107DE
:0040E7EB 6A00 push 00000000
:0040E7ED E82E060000 call 0040EE20
:0040E7F2 83C404 add esp, 00000004
:0040E7F5 85C0 test eax, eax
:0040E7F7 0F84DA020000 je 0040EAD7
<-this jump executes next
:0040E7FD 8B442408 mov eax, dword ptr [esp+08]


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040E7F7(C), :0040EAC6(C)
|
:0040EAD7 68307D4100 push 00417D30
<-land here
:0040EADC 8D4C240C lea ecx, dword ptr [esp+0C]

* Reference To: MFC42.Ordinal:035A, Ord:035Ah
|
:0040EAE0 E8F91C0000 Call 004107DE
:0040EAE5 A1307D4100 mov eax, dword ptr [00417D30]
:0040EAEA B9607C4100 mov ecx, 00417C60
:0040EAEF 50 push eax

* Possible StringData Ref from Data Obj ->"LastID"
|
:0040EAF0 68E4794100 push 004179E4

* Possible StringData Ref from Data Obj ->"UserID"
|
:0040EAF5 68AC754100 push 004175AC

* Reference To: MFC42.Ordinal:1903, Ord:1903h
|
:0040EAFA E84D1E0000 Call 0041094C
:0040EAFF 8B8C24CC010000 mov ecx, dword ptr [esp+000001CC]
:0040EB06 8B15307D4100 mov edx, dword ptr [00417D30]
:0040EB0C 51 push ecx

* Possible StringData Ref from Data Obj ->"Code"
|
:0040EB0D 68DC794100 push 004179DC
:0040EB12 52 push edx
:0040EB13 B9607C4100 mov ecx, 00417C60

* Reference To: MFC42.Ordinal:1903, Ord:1903h
|
:0040EB18 E82F1E0000 Call 0041094C
:0040EB1D 8B8424D0010000 mov eax, dword ptr [esp+000001D0]
:0040EB24 8B0D307D4100 mov ecx, dword ptr [00417D30]
:0040EB2A 50 push eax

* Possible StringData Ref from Data Obj ->"Name"
|
:0040EB2B 687C744100 push 0041747C
:0040EB30 51 push ecx
:0040EB31 B9607C4100 mov ecx, 00417C60

* Reference To: MFC42.Ordinal:1903, Ord:1903h
|
:0040EB36 E8111E0000 Call 0041094C
:0040EB3B 8D4C240C lea ecx, dword ptr [esp+0C]

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0040EB3F E8A61C0000 Call 004107EA

* Possible Reference to String Resource ID=00196: "Registration completed successfully. All the limits have bee"
<-goody reg me with any code =)


So all we have to do is:

Change this:
:0040E65C 0F8554010000 jne 0040E7B6
To this:
:0040E65C E95501000090 jmp 0040E7B6
or this:
:0040E65C 0F8454010000 je 0040E7B6

Now any name/code we put in will be regged!


Ok, next look in the W32dasm Dialog Refs for "This program is working in Demo Mode." When you double-click that you will be taken to 0040FCFA, so scroll down until you get to this location.


* Referenced by a CALL at Address:
|:0040EF38
<-finally, we know our whole nag routine is called from here, check it below!
|
:0040FB50 6AFF push FFFFFFFF
:0040FB52 68DB234100 push 004123DB
:0040FB57 64A100000000 mov eax, dword ptr fs:[00000000]
:0040FB5D 50 push eax
:0040FB5E 64892500000000 mov dword ptr fs:[00000000], esp
:0040FB65 51 push ecx
:0040FB66 8B442414 mov eax, dword ptr [esp+14]
:0040FB6A 56 push esi
:0040FB6B 57 push edi
:0040FB6C 8BF1 mov esi, ecx
:0040FB6E 50 push eax

* Possible Reference to Dialog: DialogID_00B5
<-our NAG Dialog, check below for more info.
|
:0040FB6F 68B5000000 push 000000B5
:0040FB74 89742410 mov dword ptr [esp+10], esi

* Reference To: MFC42.Ordinal:0144, Ord:0144h
|
:0040FB78 E8370C0000 Call 004107B4
:0040FB7D 8D7E60 lea edi, dword ptr [esi+60]
:0040FB80 C744241400000000 mov [esp+14], 00000000
:0040FB88 8BCF mov ecx, edi

* Reference To: MFC42.Ordinal:0237, Ord:0237h
|
:0040FB8A E81F0C0000 Call 004107AE
:0040FB8F C707E8394100 mov dword ptr [edi], 004139E8
:0040FB95 8DBEA0000000 lea edi, dword ptr [esi+000000A0]
:0040FB9B C644241401 mov [esp+14], 01
:0040FBA0 8BCF mov ecx, edi

* Reference To: MFC42.Ordinal:0237, Ord:0237h
|
:0040FBA2 E8070C0000 Call 004107AE
:0040FBA7 C707E8394100 mov dword ptr [edi], 004139E8
:0040FBAD 8DBEE0000000 lea edi, dword ptr [esi+000000E0]
:0040FBB3 C644241402 mov [esp+14], 02
:0040FBB8 8BCF mov ecx, edi

* Reference To: MFC42.Ordinal:0237, Ord:0237h
|
:0040FBBA E8EF0B0000 Call 004107AE
:0040FBBF C707E8394100 mov dword ptr [edi], 004139E8
:0040FBC5 8DBE20010000 lea edi, dword ptr [esi+00000120]
:0040FBCB C644241403 mov [esp+14], 03
:0040FBD0 8BCF mov ecx, edi

* Reference To: MFC42.Ordinal:0237, Ord:0237h
|
:0040FBD2 E8D70B0000 Call 004107AE
:0040FBD7 C707E8394100 mov dword ptr [edi], 004139E8
:0040FBDD 8D8E60010000 lea ecx, dword ptr [esi+00000160]
:0040FBE3 C644241404 mov [esp+14], 04
:0040FBE8 E86349FFFF call 00404550
:0040FBED 8D8EC4010000 lea ecx, dword ptr [esi+000001C4]
:0040FBF3 C644241405 mov [esp+14], 05
:0040FBF8 E85319FFFF call 00401550
:0040FBFD 8B4C240C mov ecx, dword ptr [esp+0C]
:0040FC01 C70648424100 mov dword ptr [esi], 00414248
:0040FC07 8BC6 mov eax, esi
:0040FC09 5F pop edi
:0040FC0A 5E pop esi
:0040FC0B 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040FC12 83C410 add esp, 00000010
:0040FC15 C20400 ret 0004


:0040FC18 90 nop
<-don't let this crap mess ya up, keep going up
:0040FC19 90 nop
:0040FC1A 90 nop
:0040FC1B 90 nop
:0040FC1C 90 nop
:0040FC1D 90 nop
:0040FC1E 90 nop
:0040FC1F 90 nop
:0040FC20 56 push esi
:0040FC21 8BF1 mov esi, ecx
:0040FC23 E8A8F6FFFF call 0040F2D0
:0040FC28 F644240801 test [esp+08], 01
:0040FC2D 7409 je 0040FC38
<-if this jump caught your eye, look where it goes and you will see it isn't anything we are looking for
:0040FC2F 56 push esi

* Reference To: MFC42.Ordinal:0339, Ord:0339h
|
:0040FC30 E8850B0000 Call 004107BA
:0040FC35 83C404 add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040FC2D(C)
|
:0040FC38 8BC6 mov eax, esi
:0040FC3A 5E pop esi
:0040FC3B C20400 ret 0004


:0040FC3E 90 nop
:0040FC3F 90 nop
:0040FC40 56 push esi
:0040FC41 8BF1 mov esi, ecx
:0040FC43 57 push edi
:0040FC44 8B7C240C mov edi, dword ptr [esp+0C]
:0040FC48 8D4660 lea eax, dword ptr [esi+60]
:0040FC4B 50 push eax

* Possible Reference to Dialog: DialogID_00B5, CONTROL_ID:0003, "&Ordering Info"
|
:0040FC4C 6A03 push 00000003
:0040FC4E 57 push edi

* Reference To: MFC42.Ordinal:08FE, Ord:08FEh
|
:0040FC4F E8840B0000 Call 004107D8
:0040FC54 8D8EA0000000 lea ecx, dword ptr [esi+000000A0]
:0040FC5A 51 push ecx

* Possible Reference to Dialog: DialogID_00B5, CONTROL_ID:0006, "Enter Registration Code"
|
:0040FC5B 6A06 push 00000006
:0040FC5D 57 push edi

* Reference To: MFC42.Ordinal:08FE, Ord:08FEh
|
:0040FC5E E8750B0000 Call 004107D8
:0040FC63 8D96E0000000 lea edx, dword ptr [esi+000000E0]
:0040FC69 52 push edx
:0040FC6A 6A01 push 00000001
:0040FC6C 57 push edi

* Reference To: MFC42.Ordinal:08FE, Ord:08FEh
|
:0040FC6D E8660B0000 Call 004107D8
:0040FC72 8D8620010000 lea eax, dword ptr [esi+00000120]
:0040FC78 50 push eax
:0040FC79 6A02 push 00000002
:0040FC7B 57 push edi

* Reference To: MFC42.Ordinal:08FE, Ord:08FEh
|
:0040FC7C E8570B0000 Call 004107D8
:0040FC81 8D8E60010000 lea ecx, dword ptr [esi+00000160]
:0040FC87 51 push ecx

* Possible Reference to Dialog: DialogID_00B5, CONTROL_ID:0476, "www.optiergo.com"
<-on the nag
|
:0040FC88 6876040000 push 00000476
:0040FC8D 57 push edi

* Reference To: MFC42.Ordinal:08FE, Ord:08FEh
|
:0040FC8E E8450B0000 Call 004107D8
:0040FC93 81C6C4010000 add esi, 000001C4
:0040FC99 56 push esi

* Possible Reference to Dialog: DialogID_00B5, CONTROL_ID:046C, "This program is working in Demo Mode. Su"
<-crappy nag we see at startup and when it's time to run the SS, keep going up
|
:0040FC9A 686C040000 push 0000046C
:0040FC9F 57 push edi

* Reference To: MFC42.Ordinal:08FE, Ord:08FEh
|
:0040FCA0 E8330B0000 Call 004107D8
:0040FCA5 5F pop edi
:0040FCA6 5E pop esi
:0040FCA7 C20400 ret 0004


:0040FCAA 90 nop
:0040FCAB 90 nop
:0040FCAC 90 nop
:0040FCAD 90 nop
:0040FCAE 90 nop
:0040FCAF 90 nop
:0040FCB0 B8E0414100 mov eax, 004141E0
:0040FCB5 C3 ret


:0040FCB6 90 nop
<-don't let this crap mess ya up, keep going up
:0040FCB7 90 nop
:0040FCB8 90 nop
:0040FCB9 90 nop
:0040FCBA 90 nop
:0040FCBB 90 nop
:0040FCBC 90 nop
:0040FCBD 90 nop
:0040FCBE 90 nop
:0040FCBF 90 nop

* Possible StringData Ref from Data Obj ->"Register"
|
:0040FCC0 686C7A4100 push 00417A6C
:0040FCC5 E8E6F6FFFF call 0040F3B0
:0040FCCA 59 pop ecx
:0040FCCB C3 ret


:0040FCCC 90 nop
<-don't let this crap mess ya up, keep going up
:0040FCCD 90 nop
:0040FCCE 90 nop
:0040FCCF 90 nop
:0040FCD0 6AFF push FFFFFFFF
:0040FCD2 6838244100 push 00412438
:0040FCD7 64A100000000 mov eax, dword ptr fs:[00000000]
:0040FCDD 50 push eax
:0040FCDE 64892500000000 mov dword ptr fs:[00000000], esp
:0040FCE5 83EC14 sub esp, 00000014
:0040FCE8 53 push ebx
:0040FCE9 55 push ebp
:0040FCEA 56 push esi
:0040FCEB 57 push edi
:0040FCEC 8BE9 mov ebp, ecx

* Reference To: MFC42.Ordinal:1266, Ord:1266h
|
:0040FCEE E80F0B0000 Call 00410802
:0040FCF3 8DB5C4010000 lea esi, dword ptr [ebp+000001C4]
:0040FCF9 55 push ebp

* Possible Reference to Dialog: DialogID_00B5, CONTROL_ID:046C, "This program is working in Demo Mode. Su"
<-crappy nag we see at startup and when it's time to run the SS (start here and trace up)
|
:0040FCFA 686C040000 push 0000046C
:0040FCFF 8BCE mov ecx, esi
:0040FD01 89742428 mov dword ptr [esp+28], esi


* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0040EF07 E8B6190000 Call 004108C2
:0040EF0C 889C2474020000 mov byte ptr [esp+00000274], bl
:0040EF13 E838F4FFFF call 0040E350
:0040EF18 83C408 add esp, 00000008
:0040EF1B 85C0 test eax, eax
:0040EF1D 0F851A010000 jne 0040F03D
<-if taken, regged and no nag! This is the one!
:0040EF23 8B842474020000 mov eax, dword ptr [esp+00000274]
:0040EF2A 85C0 test eax, eax
:0040EF2C 0F845C030000 je 0040F28E
<-if taken, no nag but not regged
:0040EF32 6A00 push 00000000
:0040EF34 8D4C2418 lea ecx, dword ptr [esp+18]
:0040EF38 E8130C0000 call 0040FB50
<-call above nag routine
:0040EF3D 8D4C2414 lea ecx, dword ptr [esp+14]
:0040EF41 C684246C02000005 mov byte ptr [esp+0000026C], 05


So all we have to do is change this:
:0040EF1D 0F851A010000 jne 0040F03D
To this:
:0040EF1D E91B01000090 jmp 0040F03D
Or this:
:0040EF1D 0F841A010000 je 0040F03D

Now we start up with no nag, the program is regged, and you can reg a bunch more users as well if ya like.
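Both patches above swap a 6-byte jne (0F 85 rel32) for a 5-byte jmp (E9 rel32) plus a NOP, or for a je (0F 84 rel32), and the rel32 has to be recomputed because it is measured from the end of the instruction. The decoder below is an added example, not part of the tutorial; it decodes the relative jumps that W32dasm shows in this listing and checks that the replacement bytes quoted at 0040E65C and 0040EF1D reach the same target as the original jne. The addresses and byte strings are the ones printed above; nothing else is assumed.

```python
# Added example: decode x86 relative jumps and check the two patch sites
# quoted in the tutorial. Not code from the original tutorial.
import struct

# opcode bytes -> (mnemonic, displacement width in bytes)
_OPCODES = {
    b"\xeb": ("jmp", 1), b"\x74": ("je", 1), b"\x75": ("jne", 1),
    b"\xe9": ("jmp", 4),
    b"\x0f\x84": ("je", 4), b"\x0f\x85": ("jne", 4),
}


def decode_jump(addr, code):
    """Return (mnemonic, length, target) for the jump at virtual address
    `addr` whose raw bytes start `code`. The displacement is signed and
    relative to the *next* instruction, so target = addr + length + disp."""
    for opcode, (mnem, width) in _OPCODES.items():
        if code.startswith(opcode):
            disp_bytes = code[len(opcode):len(opcode) + width]
            if len(disp_bytes) != width:
                raise ValueError("truncated displacement")
            disp = struct.unpack("<b" if width == 1 else "<i", disp_bytes)[0]
            length = len(opcode) + width
            return mnem, length, (addr + length + disp) & 0xFFFFFFFF
    raise ValueError(f"not a supported jump: {code.hex()}")


def same_target(addr, original, replacement):
    """True if `replacement` covers exactly the original instruction's bytes
    (any leftover bytes must be 0x90 NOPs, as in the E9...90 form above)
    and its jump lands on the same target as `original`."""
    _, orig_len, orig_target = decode_jump(addr, original)
    _, new_len, new_target = decode_jump(addr, replacement)
    padding = replacement[new_len:]
    return (len(replacement) == orig_len
            and new_target == orig_target
            and all(b == 0x90 for b in padding))


# The two sites from the tutorial: (address, original, jmp form, je form)
PATCH_SITES = [
    (0x0040E65C, "0F8554010000", "E95501000090", "0F8454010000"),
    (0x0040EF1D, "0F851A010000", "E91B01000090", "0F841A010000"),
]


def check_tutorial_patches():
    """Map each site address to (decoded target, jmp form ok, je form ok)."""
    results = {}
    for addr, orig, jmp_form, je_form in PATCH_SITES:
        orig_b, jmp_b, je_b = (bytes.fromhex(h) for h in (orig, jmp_form, je_form))
        results[addr] = (decode_jump(addr, orig_b)[2],
                         same_target(addr, orig_b, jmp_b),
                         same_target(addr, orig_b, je_b))
    return results
```

Running `check_tutorial_patches()` confirms that both sites decode to the targets W32dasm printed (0040E7B6 and 0040F03D) and that every replacement form keeps that target; dropping the trailing 90 from the jmp form fails the check, because the sixth byte of the old jne would then be left in the code stream.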

Now how did we know this:
* Possible Reference to Dialog: DialogID_00B5 <-our NAG Dialog

Easy, just look at the beginning of the W32dasm listing and you will see this:

Name: DialogID_00B5, # of Controls=006, Caption:"Anti-EyeStrain - Registraion", ClassName:""
001 - ControlID:046C, Control Class:"STATIC" Control Text:"This program is working in Demo Mode. Suggested exercises are only provided as"
002 - ControlID:0002, Control Class:"BUTTON" Control Text:"&Quit"
003 - ControlID:0001, Control Class:"BUTTON" Control Text:"&Demo"
004 - ControlID:0003, Control Class:"BUTTON" Control Text:"&Ordering Info"
005 - ControlID:0006, Control Class:"BUTTON" Control Text:"Enter Registration Code"
006 - ControlID:0476, Control Class:"STATIC" Control Text:"www.optiergo.com"


See that the name is the same, so there ya go: we could have searched out the nag by looking for that dialog ID instead of the message =)

Cracked!
Laterz!

Final thoughts


Dammit my eyes hurt now....
Laterz!


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.
